In prior control systems utilizing local networks, a user who was controlling operation of one or more industrial assets in an industrial environment was located nearby because operations could not be controlled remotely. With the growth of remote access to industrial assets (e.g., via Ethernet and wireless networks), users can connect to a given industrial control system from virtually anywhere. For example, mobile computing devices can access a control system via wireless communications, so a user could be located anywhere within a site's Wi-Fi network or offsite. This raises the possibility of user access in situations and locations where the user is unable to view the control system to see the changes being made, or is otherwise too far from the relevant system or equipment. Users can interact with machines, control systems and other industrial assets (e.g., making real-time changes to plant floor operations, reviewing performance and operational data).
These remote access capabilities allow various users to use a browser and/or applications to instantly access information about and make adjustments and changes to operating equipment whether the user is at another plant, in a control room or on the road. For example, the operator of an equipment line could determine if equipment was over-dispensing and remotely change parameters to reduce product waste. Such capabilities are helpful for system integrators and OEMs that want to monitor customer installations, perform diagnostics or provide support for visualization applications they have deployed and can be important for applications that require monitoring of remote, unattended sites, such as in the water/wastewater, oil and gas, and mining industries. However, some user interactions with machines, control systems and other industrial assets may require the person taking action only when physically present at the operations location.
Overview
Techniques to limit access to industrial assets in an industrial automation environment are disclosed herein. In at least one implementation, a specific industrial asset (also referred to as a “target device”) has a beacon system comprising one or more beacons (e.g., LE Bluetooth beacons). Each beacon broadcasts a beacon signal that enables a computing system that comprises a mobile device to measure the distance of the mobile device from the broadcasting beacon. Each beacon signal also can include access level data that defines what types of access are permitted for various users, depending on the user's authorization level (e.g., authorization levels being defined by an individual's role in a given company or industrial automation environment) and the calculated distance between the mobile device and the broadcasting beacon. The beacon signal data can be encrypted information that the mobile device is configured to decrypt and process. In some implementations the mobile device can provide directions to the user to enable an otherwise disallowed operation. Thus beacon-based industrial automation access authorization limits the operations that a user with a mobile device can perform on an industrial asset by detecting the mobile device's physical location utilizing a beacon system comprising one or more beacons associated with the relevant industrial asset. Access privileges for a given user (based on the user's organizational role) are defined by the beacon signal data and limited by the calculated mobile device distance from the industrial asset.